A recent Computerworld report identifies a surge of malware attacks in the wake of Osama bin Laden’s death. Staff writer Gregg Keizer reported that, according to security researchers, attackers seized the opportunity to push malware onto PCs, using phony claims of photographs and video of bin Laden’s killing to get users to run the attacks themselves.
“It’s not really surprising,” said Mikko Hypponen, the chief research officer of Helsinki-based F-Secure, indicating that event-related malware was expected. F-Secure warned users to ignore or delete spam carrying the “Fotos_Osama_Bin_Laden.zip” archive attachment. The messages claim the file contains photos of bin Laden after he was shot and killed by U.S. special forces during a 40-minute operation in his compound in the city of Abbottabad, in northern Pakistan.
Running the Windows executable inside the archive does not display any photographs; instead it installs a banking Trojan horse from the three-year-old “Banload” family, according to reports. The malware watches for online banking sessions and attempts to redirect payments to accounts the attackers control.
Many security companies have recently snared malware packaged in bin Laden spam.
Symantec said it had found email messages touting photos and video of the U.S. operation’s aftermath. The messages, which so far have been written in French, Portuguese and Spanish, lead users to a fake CNN Web site where they are told to download video.
As in the F-Secure case, the download is not a video but a “dropper” that in turn fetches further malicious code onto the Windows PC.
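Both lures above rely on the same trick: a file offered as photos or video is really a Windows executable. The check a mail gateway or download scanner would apply is to look past the advertised name at the extension chain and at the file's first bytes, since a PE image starts with the DOS “MZ” stub whatever it is called. The following is an added example, not code from Computerworld, F-Secure or Symantec; the inner filename of the archive and the sample bytes are constructed for illustration (the article names only the outer “Fotos_Osama_Bin_Laden.zip”), and the two-byte “MZ” stub stands in for a real executable.

```python
import io
import zipfile
from typing import Optional

# Extensions a photo/video lure would plausibly claim to be.
MEDIA_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif", ".avi", ".mpg", ".mpeg", ".mp4", ".wmv", ".flv"}
# Extensions Windows runs directly on double-click.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js", ".jse", ".wsf"}


def looks_like_pe(head: bytes) -> bool:
    """Windows PE images begin with the DOS stub magic 'MZ', whatever the filename says."""
    return head[:2] == b"MZ"


def name_findings(name: str) -> list:
    """Flag executable extensions, and the classic 'photo.jpg.exe' double extension."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1].lower()
    parts = base.split(".")
    reasons = []
    if len(parts) >= 2 and "." + parts[-1] in EXECUTABLE_EXTENSIONS:
        reasons.append("executable extension ." + parts[-1])
        if len(parts) >= 3 and "." + parts[-2] in MEDIA_EXTENSIONS:
            reasons.append("double extension posing as media")
    return reasons


def check_file(name: str, head: bytes) -> Optional[dict]:
    """Combine the name-based and content-based checks for one file."""
    reasons = name_findings(name)
    if looks_like_pe(head):
        reasons.append("PE (MZ) header, content is a Windows executable")
    return {"file": name, "reasons": reasons} if reasons else None


def inspect_payload(name: str, data: bytes) -> list:
    """Inspect an attachment or download. Zip archives are opened in memory and
    every entry is checked; anything else is checked as a single file."""
    if zipfile.is_zipfile(io.BytesIO(data)):
        findings = []
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                with zf.open(info) as fh:
                    head = fh.read(2)  # only the magic is needed, never execute it
                hit = check_file(f"{name}:{info.filename}", head)
                if hit:
                    findings.append(hit)
        return findings
    hit = check_file(name, data[:2])
    return [hit] if hit else []


def make_zip(entries: dict) -> bytes:
    """Build an in-memory zip from {entry name: bytes}, used for the constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for entry_name, content in entries.items():
            zf.writestr(entry_name, content)
    return buf.getvalue()


# Constructed samples (not real malware): an 'MZ' stub stands in for the PE.
FAKE_PE = b"MZ" + b"\x00" * 62
FAKE_JPEG = b"\xff\xd8\xff\xe0" + b"\x00" * 60
# The inner filename is an assumption; the article only names the outer archive.
LURE_ZIP = make_zip({"Fotos_Osama_Bin_Laden.jpg.exe": FAKE_PE})
BENIGN_ZIP = make_zip({"holiday/photo1.jpg": FAKE_JPEG})
# Stand-in for the fake-CNN "video" download: media-looking name, executable content.
LURE_VIDEO = FAKE_PE

if __name__ == "__main__":
    for label, data in [("Fotos_Osama_Bin_Laden.zip", LURE_ZIP),
                        ("photos.zip", BENIGN_ZIP),
                        ("cnn_video.avi", LURE_VIDEO)]:
        print(label, inspect_payload(label, data))
```

The content check matters more than the name check: the fake-CNN download is caught purely because its first two bytes are “MZ”, even though nothing about the name “cnn_video.avi” looks executable. Reading only the magic bytes also keeps the scanner from ever executing or fully extracting the sample.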
Hypponen and others have reported that bin Laden scams are also spreading quickly on Facebook.
Playing on the reputation of Wikileaks, the organization that has leaked thousands of U.S. military and diplomatic messages over the past year, the Facebook spam, labelled “Leaked by Wikileaks”, falsely tells users:
“Osama is dead, watch this exclusive CNN video which was censored by Obama Administration due to level of violence, a must watch”.
The Facebook lure depends on victims pasting a script into the browser’s address bar to “unlock” the supposed video. “Any time you paste a script into your browser’s address bar, you’re effectively running code written by the scammers without the safety net of protection,” said Graham Cluley, a Sophos senior security technology consultant, in a post to his company’s blog.
According to security firm Commtouch, the cyber-criminals make money when users are eventually shunted to a marketing page that generates pay-per-click revenues.
Hackers and scammers can ramp up attacks rapidly whenever a major news story breaks by simply tweaking existing malware or schemes, Hypponen reported, adding that some search engine poisoning pipelines are fully automated, churning out pages that link to malicious sites.
“They automatically generate pages with worthless content, or sometimes with no content at all,” said Hypponen. “This works especially well when the news hasn’t yet been covered by a normal site. It’s possible for anybody to get their page within the top 10 [results] by being fast enough.”
Cyber criminals are expected to keep exploiting bin Laden’s death for some time to come. “They usually keep trying longer than it actually works,” he said. “Most people won’t be falling for [such scams] for very long, but the video might work for a while, because I wouldn’t expect the U.S. to release a real video.”
Experts have also reported that part of the bin Laden campaigns included the first attempt by online crooks to push Mac-specific rogueware to Apple’s customers.